[sr #111093] Account Registration page information disclosure

2024-07-22 Thread anonymous
Follow-up Comment #3, sr #111093 (group administration):

Hi Bob,
thank you for reaching out to me.

I marked the ticket as disclosure because I am able to see the structure of
the users table and the actual SQL query being executed.
In my opinion users should not be able to see the raw queries, or database
structure. Or any raw error messages/stack traces in general.

Having this query disclosed I could try to do blind SQL injections by sending
data like '; DROP TABLE users; -- for password/username/real name, for
example. Or trying to change the admin user password hash in database with
same technique.

That said, by having better knowledge about the database structure I could try
different approaches to compromising it, either by doing damage (trying drop
queries) or privilege escalation (trying to update all password hashes in
bulk).

I'll have in mind your advice about uploading images vs. redacting text next
time. Thank you.

Best regards,
Dimitar Nikov


___

Reply to this item at:

  

___
Message sent via Savannah
https://savannah.nongnu.org/


signature.asc
Description: PGP signature

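The two points raised in the comment above, that a disclosed query invites injection of the kind described and that raw database errors should never reach the user, as an added example in Python with an in-memory SQLite database. This is not code from the ticket or from savane; the users table layout, column names, placeholder hashes and the function names are constructed stand-ins for illustration.

```python
# Added example, not code from the ticket or from savane. The three-column
# users table, the placeholder hashes and the function names are constructed
# for illustration and are not savane's real schema or API.
import logging
import sqlite3

log = logging.getLogger("registration")


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            user_name TEXT PRIMARY KEY,
            user_pw   TEXT NOT NULL,
            realname  TEXT NOT NULL
        );
        INSERT INTO users VALUES ('alice', '$2y$10$hash-of-alice', 'Alice');
        INSERT INTO users VALUES ('admin', '$2y$10$hash-of-admin', 'Admin');
        """
    )
    return conn


def vulnerable_set_password(conn, user_name, new_hash):
    """Query text built by concatenation: user input becomes SQL syntax.
    Returns the number of rows the UPDATE touched."""
    sql = ("UPDATE users SET user_pw = '" + new_hash
           + "' WHERE user_name = '" + user_name + "'")
    return conn.execute(sql).rowcount


def safe_set_password(conn, user_name, new_hash):
    """Same statement with bound parameters: the input is only ever a value."""
    sql = "UPDATE users SET user_pw = ? WHERE user_name = ?"
    return conn.execute(sql, (new_hash, user_name)).rowcount


def leaky_register(conn, user_name, pw_hash, realname):
    """'Before' behaviour: the raw error text and the query reach the browser."""
    sql = "INSERT INTO users (user_name, user_pw, realname) VALUES (?, ?, ?)"
    try:
        conn.execute(sql, (user_name, pw_hash, realname))
        return "Registered"
    except sqlite3.Error as exc:
        return f"Database error: {exc}\nQuery: {sql}"


def hardened_register(conn, user_name, pw_hash, realname):
    """'After': full detail goes to the server log, the user gets a generic message."""
    sql = "INSERT INTO users (user_name, user_pw, realname) VALUES (?, ?, ?)"
    try:
        conn.execute(sql, (user_name, pw_hash, realname))
        return "Registered"
    except sqlite3.Error as exc:
        log.error("registration failed for %r: %s (query: %s)", user_name, exc, sql)
        return "Registration failed. The error has been recorded; please try again later."


def password_hashes(conn):
    """Inspection helper: current hash per user, keyed by user name."""
    return dict(conn.execute("SELECT user_name, user_pw FROM users ORDER BY user_name"))


if __name__ == "__main__":
    db = make_db()
    payload = "nobody' OR 1=1 --"   # closes the literal, comments out the trailing quote
    print(vulnerable_set_password(db, payload, "$2y$10$attacker"))  # every row updated
    print(safe_set_password(db, payload, "$2y$10$attacker"))        # no row matches
    print(leaky_register(db, "alice", "x", "Dup"))                 # discloses the query
    print(hardened_register(db, "alice", "x", "Dup"))              # generic message only
```

Running the block shows the bulk-hash-overwrite case from the comment: the concatenated UPDATE with the `' OR 1=1 --` payload touches both rows, the parameterised one touches none, and a duplicate registration through the hardened path returns a message that contains neither the SQL nor the constraint name, while the full detail is written to the server log.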

[sr #111093] Account Registration page information disclosure

2024-07-22 Thread Bob Proulx
Follow-up Comment #4, sr #111093 (group administration):

Something that you might not have been aware of is that Savannah runs the
savane software and savane is Free Software and Free Software by definition is
software which is fully known and disclosed.  The full source code that
Savannah is running can be downloaded and studied in detail.

https://git.savannah.gnu.org/cgit/administration/savane.git/

As such the entire structure of the database is already disclosed.  And all of
the SQL queries are already disclosed.





[sr #111091] Need to reset mediagoblin "master" branch to match "fixed-master" branch

2024-07-22 Thread Bob Proulx
Follow-up Comment #12, sr #111091 (group administration):

I just wanted to say that this was excellent teamwork!  Very nice!


